How to set up Windows Firewall to limit network access

By enabling Windows Firewall with the proper settings, you can help shut out attackers and limit lateral movement if a breach occurs.


To properly protect your network, you need to know who and what has access to your network, and where all sensitive information is located. To better control access, start by limiting the devices that are on the same subnet to only those required for key business needs.

The Center for Internet Security advises, “Segment the network based on the label or classification level of the information stored on the servers. Locate all sensitive information on separated VLANS with firewall filtering to ensure that only authorized individuals are only able to communicate with systems necessary to fulfill their specific responsibilities.”

Rapid7 suggests you classify the data in your network based on its sensitivity. You can set several levels based on your firm’s needs.  

  • Level 1: Data for public consumption. Data that may be freely disclosed.
  • Level 2: Internal data not for public disclosure.
  • Level 3: Sensitive internal data that if disclosed, could affect the company.
  • Level 4: Highly sensitive corporate, employee and customer data.

Given that Level 1 is purposely set for public access, you’ll want to ensure that the public data isn’t stored on the same servers as the highly sensitive data.

Set up Windows Firewall rules

Even at the workstation level, host-based firewalls should be configured and enforced to allow only the minimum access required. If you are not already doing so, enable Windows Firewall on the workstations in your network and use Group Policy to set appropriate firewall rules. Windows Firewall can help keep attackers from moving laterally inside an organization. For example, attackers typically use off-the-shelf tools like PsExec, command-line utilities, or EternalBlue exploits. Blocking Server Message Block (SMB) and Remote Procedure Call (RPC) between endpoints with Windows Firewall limits an attacker’s impact.

Ensure that Windows Firewall is on by default and inbound connections are blocked by default. Regularly review rules that have been set up on workstations to ensure that nothing has been tampered with.

[Screenshot: Advanced Windows Firewall settings]

Set up a Group Policy to block outbound connections to the RPC endpoint mapper port (TCP port 135) and SMB (TCP port 445) if you can. Note: Blocking port 445 where older applications still require SMB may be difficult, so test the impact on your network first.
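The settings described above (firewall on, inbound blocked by default, SMB and RPC closed between endpoints) as an added PowerShell example; this is not the article's own code but the same configuration applied with the NetSecurity cmdlets that back Windows Firewall with Advanced Security. The management subnet is a constructed placeholder, and file servers are assumed to live on their own VLAN so the LocalSubnet keyword does not match them.

```powershell
# Added example, not from the article: workstation hardening with the
# NetSecurity cmdlets. Run elevated on a test workstation first, then push the
# same settings through Group Policy. 10.0.50.0/24 is a placeholder for the
# subnet your admin and deployment hosts sit on.
$MgmtSubnet = '10.0.50.0/24'   # placeholder: admin / deployment hosts

# 1. Firewall on for every profile, inbound blocked by default, drops logged so
#    the periodic review has something to read.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Disable the built-in inbound rule groups that open SMB (445) and RPC (135)
#    to everyone. With the default inbound action set to Block, those ports are
#    now closed unless a rule below re-opens them.
foreach ($group in 'File and Printer Sharing',
                   'Remote Service Management',
                   'Remote Event Log Management',
                   'Remote Scheduled Tasks Management',
                   'Windows Management Instrumentation (WMI)') {
    Disable-NetFirewallRule -DisplayGroup $group -ErrorAction SilentlyContinue
}

# 3. Re-open 445 and 135 only to the management subnet, on the domain profile.
foreach ($port in 445, 135) {
    New-NetFirewallRule -DisplayName "Allow inbound TCP $port from management subnet" `
        -Direction Inbound -Protocol TCP -LocalPort $port -Action Allow `
        -RemoteAddress $MgmtSubnet -Profile Domain
}

# 4. Endpoint-to-endpoint SMB/RPC: block outbound 445/135 to peers on the same
#    subnet. Servers on a separate VLAN (assumed here) are unaffected, so the
#    impact on older SMB-dependent applications can be tested gradually.
New-NetFirewallRule -DisplayName 'Block outbound SMB/RPC to local subnet (lateral movement)' `
    -Direction Outbound -Protocol TCP -RemotePort 445,135 -Action Block `
    -RemoteAddress LocalSubnet -Profile Any

# Show the profile state the article asks you to verify.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultInboundAction, LogBlocked
```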

Be wary of using Remote Desktop Protocol

If you use Remote Desktop Protocol (RDP) (TCP port 3389) to access servers and workstations, reconsider that policy as well. Ransomware attackers use collected usernames and passwords from breached credential sites to attack networks. Once the harvested credentials are used to gain access to the network over RDP, attackers will move laterally inside the network. They often lay low and take no action for a few days or weeks to ensure that they have full access to the network. They then launch the ransomware attack. If you must have access for certain processes, ensure that only trusted sources have access to the ports you make available for access.

To control Windows Firewall with Group Policy, open the Group Policy editor and navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security. To review the resulting settings on a machine, use the PowerShell cmdlet Get-NetFirewallProfile or the command-line instruction netsh advfirewall show allprofiles.
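The review step (checking that the firewall is on, inbound is blocked by default, and no rule has been tampered with) as an added example; this is not the article's own script. It reads the live policy with Get-NetFirewallProfile and Get-NetFirewallRule and reports deviations from a baseline; the expected rule names are constructed placeholders.

```powershell
# Added example, not from the article: report firewall profiles that are off or
# do not block inbound by default, and every enabled inbound Allow rule that
# opens 445, 135 or 3389 (or all ports) and is either wide open or not on the
# expected list. Run elevated.
function Test-FirewallBaseline {
    param(
        [string[]]$WatchedPorts  = @('445', '135', '3389'),
        # placeholder baseline: the rules your Group Policy is supposed to create
        [string[]]$ExpectedRules = @('Allow inbound TCP 445 from management subnet',
                                     'Allow inbound TCP 135 from management subnet')
    )
    $findings = @()

    # 1. Profile-level settings (the checkboxes in the screenshot above)
    foreach ($p in Get-NetFirewallProfile -PolicyStore ActiveStore) {
        if ($p.Enabled -ne 'True') { $findings += "Profile $($p.Name): firewall is off" }
        if ($p.DefaultInboundAction -ne 'Block') {
            $findings += "Profile $($p.Name): default inbound is $($p.DefaultInboundAction), expected Block"
        }
    }

    # 2. Enabled inbound allow rules that touch the watched ports
    $rules = Get-NetFirewallRule -PolicyStore ActiveStore -Enabled True -Direction Inbound -Action Allow
    foreach ($r in $rules) {
        $ports = @(($r | Get-NetFirewallPortFilter).LocalPort)
        $hit   = ($ports -contains 'Any') -or ($ports | Where-Object { $WatchedPorts -contains $_ })
        if (-not $hit) { continue }
        $addr = @(($r | Get-NetFirewallAddressFilter).RemoteAddress)
        $auth = ($r | Get-NetFirewallSecurityFilter).Authentication
        $wideOpen = ($addr -contains 'Any') -and ($auth -eq 'NotRequired')
        if ($wideOpen -or ($ExpectedRules -notcontains $r.DisplayName)) {
            # PolicyStoreSourceType shows whether GPO or a local change created the rule
            $findings += ("Rule '{0}' [{1}]: ports {2} from {3}, auth={4}" -f
                $r.DisplayName, $r.PolicyStoreSourceType, ($ports -join ','), ($addr -join ','), $auth)
        }
    }
    return $findings
}

$result = Test-FirewallBaseline
if ($result) { $result | ForEach-Object { Write-Warning $_ } } else { 'Firewall baseline intact' }
```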

When setting firewall policies, think in terms of what organizational units you have in your network and consider using them as policy boundaries. Using these natural organizational unit boundaries provides limits for lateral movement in your organization.

You can set Windows Firewall rules to allow only authorized users from authorized computers. First, set the connection to only allow secure connections:

[Screenshot: Restrict access to secure connections]

Once you have done so, you can restrict access to specific computers or users:

[Screenshot: Sample Windows Firewall policies showing section for authorized users]

You can set the tabs in Windows Firewall for Local Principals, Remote Users and Remote Computers to allow communication from specific users or specific computers. IPsec has been around for many years and can be used to set up secure communication between workstations and servers. The connections can be for both inbound and outbound traffic.
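The "allow only secure connections, then restrict to specific users and computers" steps as an added PowerShell example; this is not the article's code but the same rule built with the NetSecurity cmdlets instead of the Remote Users and Remote Computers tabs, using RDP (TCP 3389) as the protected port. The CONTOSO domain and group names are constructed placeholders, and the host is assumed to be domain-joined so the SIDs resolve.

```powershell
# Added example, not from the article. Run elevated on a domain-joined host.
$Domain        = 'CONTOSO'            # placeholder domain
$AdminGroup    = 'Helpdesk Admins'    # Remote Users tab: who may connect
$JumpHostGroup = 'Jump Hosts'         # Remote Computers tab: from which machines

function Get-SddlFor([string]$Account) {
    # Translate DOMAIN\Group to a SID and wrap it in the SDDL form that the
    # -RemoteUser / -RemoteMachine parameters expect (allow ACE, CC right).
    $nt  = New-Object System.Security.Principal.NTAccount($Domain, $Account)
    $sid = $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
    "O:LSD:(A;;CC;;;$sid)"
}

# 1. "Allow the connection if it is secure": require IPsec with Kerberos
#    machine authentication (phase 1) and Kerberos user authentication
#    (phase 2) for traffic to this host's RDP port.
$p1  = New-NetIPsecAuthProposal -Machine -Kerberos
$p2  = New-NetIPsecAuthProposal -User -Kerberos
$as1 = New-NetIPsecPhase1AuthSet -DisplayName 'Kerberos machine auth' -Proposal $p1
$as2 = New-NetIPsecPhase2AuthSet -DisplayName 'Kerberos user auth'    -Proposal $p2
New-NetIPsecRule -DisplayName 'Require IPsec for RDP' `
    -Protocol TCP -LocalPort 3389 `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $as1.Name -Phase2AuthSet $as2.Name -Profile Domain

# 2. Turn off the built-in RDP allow rules and replace them with one that only
#    passes authenticated, encrypted traffic from the listed users on the
#    listed computers (the Remote Users / Remote Computers tabs).
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from jump hosts, helpdesk admins only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Action Allow `
    -Authentication Required -Encryption Required `
    -RemoteUser    (Get-SddlFor $AdminGroup) `
    -RemoteMachine (Get-SddlFor $JumpHostGroup) -Profile Domain
```

Connections from a machine that is not in the Jump Hosts group, or by a user outside Helpdesk Admins, fail the IPsec authentication check before the RDP service ever sees them.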

[Screenshot: Sample Windows Firewall section showing authorized computers]


Copyright © 2020 IDG Communications, Inc.
